Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support multiple basic_auth statements in caddy2 #81

Closed
klzgrad opened this issue Oct 13, 2020 · 9 comments
Closed

Support multiple basic_auth statements in caddy2 #81

klzgrad opened this issue Oct 13, 2020 · 9 comments

Comments

@klzgrad
Copy link
Contributor

klzgrad commented Oct 13, 2020

// TODO: Support multiple basicauths.
if h.BasicauthUser != "" || h.BasicauthPass != "" {
return d.Err("Multi-user basicauth is not supported")
}

Multiple basic_auth statements are not supported because it was not clear what json structure you wanted for doing it @mholt.

Some users are complaining klzgrad/naiveproxy#137.

@mholt
Copy link
Member

mholt commented Oct 13, 2020

Sure, that's something that can be added I'm pretty sure.

@klzgrad
Copy link
Contributor Author

klzgrad commented Oct 13, 2020

I can add it but what json structure you want for doing this?

@klzgrad
Copy link
Contributor Author

klzgrad commented Oct 14, 2020

Hi @mholt, can you choose one json format for multiple basicauths from below so I can start making a PR?

"basicauths": [
  {"user": "me", "password": "hunter"}
]
"users": ["me"],
"passwords": ["hunter"],
"basicauths": [
  ["me", "hunter"]
]

@wiserain
Copy link

wiserain commented Oct 14, 2020

Maybe one more choice for your reference:

In traefik, users can configure multiple basicauths in a list. Below is an example of toml format used in traefik.

# Declaring the user list
[http.middlewares]
  [http.middlewares.test-auth.basicAuth]
    users = [
      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
    ]

I don't know implementation details but would be nice to use hashed passwords in conf, which is safe to expose in a plain text.

Thanks.

@mholt
Copy link
Member

mholt commented Oct 14, 2020

Thanks for helping with this!

Before we go too far on this, I am quickly skimming the code and realizing that I only brought over the basicauth functionality to get the tests to pass temporarily. Caddy 2 already has a very flexible and capable authentication module that supports basicauth: https://caddyserver.com/docs/modules/http.authentication.providers.http_basic

Ideally we wouldn't have any authentication logic in this proxy module at all, since it exists in that module. However, if it's necessary for probe resistance, then at least we should look into simply embedding that module into this one, rather than re-implementing it.

For an example of this, Caddy's reverse_proxy module embeds the headers module which manipulates request/response headers: https://github.com/caddyserver/caddy/blob/385adf5d878939c381c7f73c771771d34523a1a7/modules/caddyhttp/reverseproxy/reverseproxy.go#L91

What do you think about that? Should be easier and faster right?

@klzgrad
Copy link
Contributor Author

klzgrad commented Oct 15, 2020

Forward proxy in Caddy1 implements its own basicauth to try to avoid side channel attacks with this

if subtle.ConstantTimeCompare(creds, []byte(pa[1])) == 1 {
// Please do not consider this to be timing-attack-safe code. Simple equality is almost
// mindlessly substituted with constant time algo and there ARE known issues with this code,
// e.g. size of smallest credentials is guessable. TODO: protect from all the attacks! Hash?
return nil
}

I'll have to remove this constant time compare if I'm to do it with the authentication module. This mitigation is only theoretical but there are real people waiting to use this feature.

Edit: Ok, the purpose of this constant time compare is to hide the existence of the auth check so to realize probe resistance, i.e. arbitrary auth input regardless of success or not should take the same amount of time. A real test case is that if I craft a Proxy-Authorization header with a very long password, and if it takes more time to process than a short password, this reveals the existence of an auth checking proxy.

I don't think Caddy 2's auth module is capable of constant time authentication. Even hashed password as requested by wiserain above is suspect without audited constant time hashing algorithm.

@ha-ku
Copy link

ha-ku commented May 3, 2021

Any update for this?

@Bryan2333
Copy link

Any update on this?

@klzgrad
Copy link
Contributor Author

klzgrad commented Feb 18, 2024

Fixed after #74

@klzgrad klzgrad closed this as completed Feb 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants